<html>
<head><meta charset="utf-8"><title>Google&#x27;s &quot;know, prevent, fix&quot; · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html">Google&#x27;s &quot;know, prevent, fix&quot;</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="225092283"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/225092283" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#225092283">(Feb 03 2021 at 22:23)</a>:</h4>
<p>A blog post by Google is making the rounds - they're highlighting a bunch of issues in open-source security, such as vulnerability tracking, supply chain attacks, and other stuff. Also calling for better standardization and interoperability between vulnerability databases:<br>
<a href="https://opensource.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting-discussion-around-vulnerabilities-in-open-source.html">https://opensource.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting-discussion-around-vulnerabilities-in-open-source.html</a></p>



<a name="225092479"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/225092479" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#225092479">(Feb 03 2021 at 22:25)</a>:</h4>
<p>We can ride the marketing wave if we so desire, since we've been working on most of the items listed:<br>
RustSec + <a href="https://github.com/RustSec/cargo-audit">https://github.com/RustSec/cargo-audit</a> + <a href="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a> address vulnerability tracking<br>
<a href="https://github.com/rust-secure-code/cargo-supply-chain">https://github.com/rust-secure-code/cargo-supply-chain</a> + <a href="https://github.com/crev-dev/cargo-crev">https://github.com/crev-dev/cargo-crev</a> address supply chain issues</p>



<a name="225092566"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/225092566" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#225092566">(Feb 03 2021 at 22:25)</a>:</h4>
<p>This means we can make a blog post saying "hey we've known this all along and have actually been working on all of this"<br>
If we include some outstanding work items, this might even get us some contributors.</p>



<a name="226084869"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/226084869" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#226084869">(Feb 12 2021 at 02:00)</a>:</h4>
<p>as it were, I feel like I've done this sort of analysis manually before, heh <a href="https://github.com/iqlusioninc/abscissa/#depencencies">https://github.com/iqlusioninc/abscissa/#depencencies</a></p>



<a name="226084875"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/226084875" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#226084875">(Feb 12 2021 at 02:00)</a>:</h4>
<p>automation seems good</p>



<a name="226084895"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/226084895" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#226084895">(Feb 12 2021 at 02:00)</a>:</h4>
<p>especially if it can spit out that sort of information automatically for incorporation into a README.md</p>



<a name="226084907"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Google%27s%20%22know%2C%20prevent%2C%20fix%22/near/226084907" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Google&#x27;s.20.22know.2C.20prevent.2C.20fix.22.html#226084907">(Feb 12 2021 at 02:01)</a>:</h4>
<p>(and potentially ensure it's up-to-date!)</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>